
devrand0m

Active Members
  • Posts: 20


  1. @Dave-ee Jones I'm pretty sure it was complete. I got another one, almost identical in format, but slightly different content. I'm asking about the email title, but the body of the email is also suspect. Obfuscated in a strange way, but kind of looks like possibly base64 encoded hex code (assembly?). I just wasn't sure if it's safe to post the body here. (Don't want to pwn anyone by accident.)
  2. @WaterRide I'm in the US so I can find a lot of on/offline courses, but can't tell which ones are worth the money. Also not sure what I need to study. Can't decide if I need to go back to school or study/take online courses on my own. @digip Thanks for the detailed reply. I've been a Mac guy all my life (started with the original Mac). I think I'm just as capable as those Geniuses at Mac stores, but totally lost in a Windows environment. I'm OK with Linux given the similarities with Mac, and have been getting better with Kali use. I'll look into your suggestions. I'm from a hospital background. Totally amazed at how hospitals just completely trust the vendors; if Citrix or VMWare says everything is safe, that's good enough for them. I've never seen them do any pentest. Login consists of first initial_last name followed by a number. Initial password is hospital name followed by some digits. Not required to change password after initial login. How many people, do you think, didn't bother to change the initial password? I could probably find an account to log into with 20 min. of Hydra. The medical field really needs pentesters, network security people, security minded CIO's (I've never seen any CISO's in the local hospitals). I just wanted to go into hospital/medical information security in some capacity (haven't decided exactly what capacity).
  3. Got a strange email with what kind of looked like obfuscated code. Usually I just trash these, but this one had a code-looking thing in the title. =?UTF-8?b?VA==?=**(1S7LG9C102)***=?UTF-8?b?aA==?=**(1S7LG9C102)***=?UTF-8?b?YQ==?=**(1S7LG9C102)***=?UTF-8?b?bg==?=**(1S7LG9C102)***=?UTF-8?b?aw==?=**(1S7LG9C102)***=?UTF-8?b?Xw==?=**(1S7LG9C102)***=?UTF-8?b?eQ==?=**(1S7LG9C102)***=?UTF-8?b?bw==?=**(1S7LG9C102)***=?UTF-8?b?dQ==?=**(1S7LG9C102)***=?UTF-8?b?IQ==?=**(1S7LG9C102)***=?UTF-8?b?Vw==?=**(1S7LG9C102)***=?UTF-8?b?YQ==?=**(1S7LG9C102)***=?UTF-8?b?bA==?=**(1S7LG9C102)***=?UTF-8?b?Zw==?=**(1S7LG9C102)***=?UTF-8?b?cg==?=**(1S7LG9C102)***=?UTF-8?b?ZQ==?=**(1S7LG9C102)***=?UTF-8?b?ZQ==?=**(1S7LG9C102)***=?UTF-8?b?bg==?= I know UTF-8 points to the encoding scheme, but I don't recognize this format at all. Doesn't look like web encoding or base64. Anybody know what this is? Also, can the attacker force code execution with malware code in the title of an email? PS I hope the above quote doesn't execute anything on anybody's computer, but if I'm quoting potential malware code, is there any way to make it safer when posting? [edit] I got rid of the repeating elements in the above quote and got "VAaAYQbgawXweQbwdQIQVwYQbAZwcgZQZQbg==?=" which kind of looked like base64, but when I convert it I get "T€aàkðyðuWlprPeà" which doesn't make sense.
  4. Just wondering if the meterpreter reverse_tcp payload can connect back to a local host that doesn't have metasploit installed. Is there a stand-alone handler/listener that can work with meterpreter, or do I need to do a full install of metasploit? Can programs like netcat listen for a meterpreter inbound connection? BTW, are there any metasploit/pentesting forums around that are any good? Looked on Rapid7, but they have some sort of curated knowledge base, not really a forum.
  5. What if ... I turned off the radio on my router, attached a Pineapple by ethernet to the router, and set-up Pineapple with same encryption (WPA2) and access point name. Shouldn't I be able to see ALL the network packets off of the Pineapple? (basically, MITM my home network). Shouldn't I be able to look at the 172.16.40.48 packet then since the Pineapple would not block the packet (until it got to the router firewall)? PS I haven't taken the Pineapple out of the box yet. Just got it ... I guess it's time to play...
  6. digip, this is at home. Just me, my wife, and her son. My wife and her son are basically just digital users; I do all the network set-up, adding new equipment, etc. If I set my computer to 172.16.0.0/16 manually, would the firewall prevent me from seeing 172.16.40.48? What I mean is that the router seems to be stopping packets from 172.16.40.48 going into internet, but would it stop two machines, both on 172.16.0.0/16 from being able to see each other (like pinging each other)? Either way, it's so weird since except for my two laptops, everything else is configured for dhcp.
  7. digininja, how would I get a hub or span port into a home wifi network? My AT&T Uverse modem is basically a fancy name for a DSL modem that also does wifi and has ethernet ports for direct connections. I do have a Throwing Star LAN tap from the Hak5 store. Can I somehow use that to snoop the entire network's packets with Wireshark?
  8. First question ... I was looking at the firewall log on my wireless router. There were a number of entries that said that an outbound connection was blocked due to invalid source IP. My router's dhcp range is 172.27.0.1 to 172.27.0.253 (254 is the router). The invalid IP is 172.16.40.48. How can this IP address even exist on my network? Even if someone manually assigned that IP to his/her computer, how can that even get routed to the gateway? Also I only have around a dozen devices attached to this router and each device is accounted for. How can I figure out what the invalid IP device is? Second question, kind of related. I was trying to figure out what was happening with my network so I fired up Wireshark hoping there would be some clue with regard to the spoofed IP above. Connected my laptop directly to the wireless router's ethernet port. Started Wireshark with the ethernet adapter in promiscuous mode. Tons of packets...however, after a while, I noticed one thing. To and from my computer, I could see all outbound and inbound packets. However, with other devices on the net, I could only see them when they were sending to a broadcast address (255.255.255.255 or 172.27.0.255). I thought in promiscuous mode, I was supposed to be able to see all packets, not just mine+broadcast. In addition to the IP problem above, I have an old XP box on my net that keeps trying to send out packets with invalid state to an unknown IP (actually an IP in China) which the firewall keeps blocking, and I'd like to examine the packets. Thanks.
  9. Kind of a weird question...what kind of education is available/recommended for mid-career career change to information security/pen-testing/etc.? I'm in totally non-IT field, but seriously thinking about IT. Is taking courses and getting certified or getting a degree from places like SANS Institute worth it? Anybody know anything about them? How about certification from Offensive Security? Any other schools, courses, programs out there worth looking at? Community colleges? Those "for profit" technical colleges? Any advice other than "give it up" would be appreciated. Thanks.
  10. I tried various scans again, this time per digip's -sC scan included, with Wireshark running. With -sS scan with no VPN, all packets were dropped. With -sS scan through VPN, port 25 and 6881-89 had reset packets come back. However, from what I can tell, packets looked like they came from the VPN gateway! This was reported as ports closed rather than packets dropped by nmap. I guess the VPN wants to stop use of these ports. HOWEVER, the -sC scan revealed something more interesting. Open port on 8000. I tried connecting with a browser. Any other port just hangs. This port actively sends out resets. Tried with nc, ssh, telnet, etc. nc and telnet connect but do not get any responses from any commands, then the connection is reset/closed. ssh comes back with "ssh_exchange_identification: Connection closed by remote host." Usually, my MacOS ssh either hangs or just says "connection reset by remote host", not this ssh_exchange error message. I'm starting to think there may be an ssh back door that is set to connect with certain certificates. The original NoMotion blog was about ATT routers having vulnerabilities as well as a couple of back doors.
  11. Went to https://haveibeenpwned.com. 2 of the 8 email addresses I currently use have been compromised. Both were from the Dropbox hack. That sounds like something that could have wound up on the Dark web. It was from a 2012 hack. I'm pretty sure I changed my passwords since then, but I'm going to change them again just to be safe. The other compromise came from a stupid restaurant guide I don't even remember using. Web sites really should stop using emails as log-ins. I'm pretty sure I used my bogus, "I'll likely use this web site once" type password there (I use a throwaway password. I change it to something decent after I decide to continue using the site). Thanks for the advice on the Dark web. I just thought they were just cumbersome to get to, but never thought of them as drive-by hack sites. I guess I just need to have my antenna up more from now on. Thank you again for your advice, digip.
  12. I did the Dark web email search on Experian site (competitor credit bureau to Equifax). I thought initially that it was a scare tactic marketing ploy to sign up for their ID theft monitoring service, but when I did the search with my other emails, there were no hits (did them as separate searches). Their report didn't say which password combination was seen; just that my email was mentioned somewhere on the Dark web. Great idea on https://haveibeenpwned.com. I'll definitely check it out. Thanks for your advice, digip.
  13. I wasn't sure where to turn to so I'm writing here. I've been seeing a lot of talk about the Equifax hack (i.e. Shannon's Threatwire). Got worried. Started going through all the credit bureau sites. Found a Dark web email scanner on Experian. Sure enough, it says one of my emails had a hit. Problem is that since so many web sites make you use your email for the login name, I'm not sure if my email password is on the Dark web or if my sign-in credential to some web site is on the Dark web. I don't know anything about the Dark web. Can someone point me in the right direction on how to figure this out? I'm totally paranoid now.
  14. Thanks for the input guys. I never knew ISP's modified traffic. My home is in the suburbs and the office is in downtown. The market is pretty much just dominated by two players ... AT&T and Time Warner. My VPN connection was to a commercial VPN service server in a different state. If local AT&T or TW networks are dropping packets (I didn't know they did that), then the scan through VPN could be more accurate. Which doesn't please me since that scan was the one with open SMTP and torrent ports. That could mean I could have unauthorized mail and torrent services running on my router, which means that my router is pwned. Any way to figure out if my router is compromised? BTW, do you know how I can find Ear Trumpet, especially if it runs on modern Windows, Linux, or MacOS? ( I have machines running all the OS's so any version would do. Actually, how would you connect a regular desktop directly to a public IP address anyways? ) And yes, I have permission to scan... I own the business on the first floor with AT&T, the unoccupied residential unit on the second floor with Time Warner (I use it sometimes if I'm too tired to go home...50 mile drive home), and I own the entire building as a whole. Unless I'm supposed to ask for permission from my ISP's.
  15. Some of you guys may have read the recent blog post from nomotion.net about AT&T Uverse Arris modem vulnerabilities. I have Uverse at my office. The modem is a different model, but I decided to see if there were any open ports just in case. I went home and ran an nmap scan against it. ( nmap -v -Pn -sS -p1-65535 <my.ip.address>). All ports were reported as no response by nmap. I have a separate Uverse service on a different floor so I ran exactly the same command on the second IP from a different Kali machine at home. Port 25 and a bunch of bittorrent ports showed up this time ( although all reported as closed). I decided to run nmap again against the first modem/IP. This time, port 25 and bittorrent ports showed up. The only difference between the first scan and second/third scan was that the machine running the second/third scan had VPN on. Otherwise both my laptops were running the same version of Kali/nmap. Any ideas how nmap running directly through the home network would give different results than running through VPN?
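The Subject line quoted in post 3 is a chain of RFC 2047 "encoded words" (=?charset?B?payload?=) with a repeated junk separator between them. The Python below is an added example, not code from the thread or from any poster: it reconstructs that header from the quoted chunks, decodes each encoded word on its own the way a mail client would, and reproduces the poster's shortcut of gluing the padded base64 chunks together to show why that produced garbage.

```python
import base64
import quopri
import re

# Sample reconstructed from the Subject line quoted in post 3: eighteen RFC 2047
# encoded words joined by one repeating junk separator.
FILLER = "**(1S7LG9C102)***"
CHUNKS = ["VA==", "aA==", "YQ==", "bg==", "aw==", "Xw==", "eQ==", "bw==", "dQ==",
          "IQ==", "Vw==", "YQ==", "bA==", "Zw==", "cg==", "ZQ==", "ZQ==", "bg=="]
SAMPLE_SUBJECT = FILLER.join(f"=?UTF-8?b?{c}?=" for c in CHUNKS)

# RFC 2047 encoded-word syntax: =?charset?encoding?payload?=  (encoding is B or Q)
ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?([bBqQ])\?([^?\s]*)\?=")


def decode_encoded_word(charset: str, encoding: str, payload: str) -> str:
    """Decode one encoded word. B is base64; Q is quoted-printable where '_' means space."""
    if encoding.upper() == "B":
        raw = base64.b64decode(payload, validate=True)
    else:
        raw = quopri.decodestring(payload.encode("ascii"), header=True)
    # The charset name comes from the sender and is untrusted; fall back on a bad name.
    try:
        return raw.decode(charset, errors="replace")
    except LookupError:
        return raw.decode("latin-1")


def decode_header(header: str) -> tuple[str, list[str]]:
    """Return (text from the encoded words, list of plain fragments found between them)."""
    words, fragments, pos = [], [], 0
    for m in ENCODED_WORD.finditer(header):
        if m.start() > pos:
            fragments.append(header[pos:m.start()])
        words.append(decode_encoded_word(*m.groups()))
        pos = m.end()
    if pos < len(header):
        fragments.append(header[pos:])
    return "".join(words), fragments


def naive_glued_decode(chunks: list[str]) -> str:
    """Reproduce the shortcut tried in post 3: strip each chunk's padding and glue them.
    'VA==' encodes exactly one byte; dropping the inner '==' shifts every later 6-bit
    group, so the concatenation decodes to something unrelated to the real text."""
    glued = "".join(c.rstrip("=") for c in chunks)
    glued += "=" * (-len(glued) % 4)
    return base64.b64decode(glued).decode("utf-8", errors="replace")


if __name__ == "__main__":
    text, junk = decode_header(SAMPLE_SUBJECT)
    print(text)                    # -> Thank_you!Walgreen
    print(len(junk), set(junk))    # the same filler repeated 17 times
    print(naive_glued_decode(CHUNKS))
```

The separators are plain text that sits outside the encoded words, so a conforming decoder never feeds them to base64; per-word decoding also explains why the poster's glued string came out as nonsense.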